CVE-2026-31838

Istio HTTP debug endpoints on port 15014 to enforce namespace-based authorization, preventing cross-namespace proxy data access.

Description

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when policies rely on HTTP headers that may contain multiple values. An attacker could craft requests with multiple header values in a way that causes Envoy to evaluate the header differently than intended, potentially bypassing authorization checks. This may allow unauthorized requests to reach protected services when policies depend on such header-based matching conditions. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

INFO

Published Date :

2026-03-10T21:58:53.354Z

Last Modified :

2026-04-07T02:39:59.774Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-31838 vulnerability.

Vendors	Products
Istio	Istio

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31838.

URL	Resource
https://github.com/istio/istio/commit/004fd6921314a8e2293fd195d91645dcbbff0aa1
https://github.com/istio/istio/security/advisories/GHSA-974c-2wxh-g4ww
https://nvd.nist.gov/vuln/detail/CVE-2026-31838
https://www.cve.org/CVERecord?id=CVE-2026-31838